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PUBLIC KEY CRYPTOGRAPHIC METHODS AND SYSTEMS 



Background of the Invention 

(1) Field of the Invention 

The present invention relates generally to cryptography and, more particularly, to 
5 public key cryptographic systems such as RSA. 

(2) Description of the Prior Art 

With the enormous volume of data that is transmitted electronically throughout 
the world, methods for securing the privacy of that data are crucial to the economy. 
Before the 1970s, senders and recipients would need to agree on some sort of secret key 

10 in order to encrypt messages such that they could not be deciphered by unauthorized third 
parties but could still be read by the intended recipient. This sort of symmetric 
cryptography alone i s i nconvenient i n t he Internet a ge, w here i t i s n ot always e asy to 
arrange a meeting to exchange a secret password that will allow for future secure 
communications. Fortunately, p ublic k ey cryptography w as d eveloped in t he 1 ast few 

15 decades by Diffie, Hellman, Rivest, Shamir, and Adelman, among others. 

Public key cryptography allows for the secure exchange of information between 
senders and recipients without the necessity that the two parties first exchange a secret 
key. The recipient simply makes his public key available, which can be used by anyone 
to encrypt a message to him. Once a message is encrypted using the recipient's public 

20 key, only the private key can be used to restore the message to its original state. Only the 
recipient knows his private key, so messages encrypted with the public key are secure. 

The standard methods for public key cryptography were developed by Rivest, 
Shamir, and Adelman (RSA), described in US Patent number 4405829. RSA and its 
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variants provide for encryption of data using a public key and decryption using a private 
key. 

RSA security has been publicly and commercially used for communicating or 
transmitting information, data, documents, messages, and files; however, it is relatively 
5 slow (especially the process of decryption) and computationally intensive. This presents 
problems in many implementations, including servers that receive a large number of 
requests and mobile devices that have a small amount of computing resources available 
to them. The slow speed of RSA is a result of the large numbers required to ensure the 
security of the algorithm. The RSA scheme capitalizes on the extreme difficulty of 
10 factoring a large composite number into its constituent primes. 
RSA and CRT RSA 

RSA consists of three steps: key generation, encryption, and decryption. 
Key Generation 

Key generation starts by deciding on an adequate length for what is called the public 
1 5 modulus N. This choice is dictated by the difficulty of factoring N into its prime factors. 
Right now, N of length 1024 bits is considered a sufficient size to prevent factoring. The 
bit length of N will continue to go up in the future. Next, two random prime numbers 
that are each half the length of N, p and q, are generated. Next, a small odd integer, e, is 
selected such that e is relatively prime to lcm(p-l, q-1). In practice, e is usually chosen to 
20 be 65537. In this paper, we will refer to e as the public exponent and N as the public 
modulus. The RSA public key consists of the two integers (e, N). 
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The private exponent, d, is a multiplicative inverse of e(mod lcm(p-l, q-1)), so 
that e*d = 1 mod (lcm(p-l, q-1)). Often, the private key refers to the set of numbers 
(p,q,d), so d should be referred to as the private exponent rather than as the private key. 
Encryption 

5 To encrypt message X using an RSA public key {e, N}, one must first convert X into an 
integer M using a formatting operation. Encryption of M into ciphertext C is then 
accomplished by calculating C as the remainder after N is divided into M taken to the 
power of e. In equation form, C = M e mod N where M is an integer greater than -1 and 
less than N, 0 < M < N. 
10 Decryption 

To decrypt using the original implementation of RSA, M is obtained by calculating the 
remainder after N is divided into C taken to the power of d. In equation form, M = C d 
mod N. M is then converted back to X by reversing the same formatting operation that 
was used to obtain M from X originally. 

15 It is standard practice now to use the Chinese Remainder Theorem (CRT) for 

RSA decryption. Rather than compute M = C d mod N, one calculates d p = d mod (p - 1) 
and dq = d mod (q - 1). Then, one calculates M p = C d P mod p and M q = C dq mod q. 
Then, one uses CRT to calculate M from M p and M q . This is about four times as fast as 
calculating M = C d mod N directly. For the remainder of this paper, we will refer to this 

20 method of RSA decryption as CRT RSA. 

Since CRT RSA, a handful of improvements to the RSA methodology have been 
made to increase decryption speed. We will touch on each of these methods briefly, with 
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more attention paid to Multi-Prime and Multi-Power RSA, which are more in the field of 
the present invention. 
Multi-Prime RSA 

This method is detailed in US Patent number 5848159. Multi-Prime RSA suggests the 
5 use of more than two distinct prime factors to generate the public modulus N, whereas the 

RSA method traditionally uses only two distinct prime factors. For a modulus N of 

length 1024 bits, Multi-Prime RSA chooses three prime numbers p, q, r that are each one 

third the length of N. The encryption process i s exactly the same as traditional RSA. 

The decryption process for Multi-Prime RSA is relevantly similar to that of CRT RSA, 
10 except that three or more distinct prime numbers are used instead of two. In Multi-Prime 

RSA, like in traditional and CRT RSA, all of the distinct prime factors of the modulus N 

are used for decryption of messages. 

Using multiple prime factors for RSA decryption increases the total number of 

calculations that need to be performed, but each calculation is less intensive since each 
15 prime factor is smaller than in the two-prime implementation. The result is a theoretical 

speedup of b 2 /4, where b is the number of prime factors used. With N of length 1024 bits 

and b set to 3 (the current maximum for security reasons), Multi-Prime RSA achieves a 

theoretical speedup of 2.25 over two-factor CRT RSA methods. 

Multi-Power RSA 

20 This method is detailed in United States Patent Application 20020064278. This method 
is similar to the Multi-Prime method, except that the Multi-Prime method assumes that all 
of the prime numbers that make up the composite number N are distinct numbers. The 
Multi-Power method assumes that N is made up of more than two prime factors, but that 
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N is only made up of exactly two distinct prime factors. So, if N = p*q*r, it is assumed 
that p = q and therefore N = p 2 r. L ike Multi-Prime RS A, encryption i s p erformed in 
exactly the same was as traditional RSA. For decryption, Multi-Power RSA is able to 
capitalize on the fact that there are only two distinct prime numbers. So, only two large 
5 modular exponentiation computations are necessary (there are several smaller 
mathematical operations involved using this technique which are computationally 
negligible), providing increased efficiency over the Multi-Prime method. In Multi-Power 
RSA, like Multi-Prime and CRT RSA, all of the distinct prime factors of the modulus N 
are used for decryption of messages. 
10 The result is a theoretical speedup of b /8, where b is the number of prime factors 

used. With N of length 1024 bits and b set to 3 (the current maximum for security 
reasons), Multi-Power RSA achieves a theoretical speedup of 3.375 over two-factor CRT 
RSA methods. 
Batch RSA 

15 Batch RSA is based on the idea that, in certain situations, two or more decryptions can be 
performed for the time cost of one. In order for this to work, very small public exponents 
must be used (such as 3 or 5). Further, the system only works if encryption is performed 
using different public exponents but the same public modulus. Further discussion of this 
technique is beyond the scope of this paper, but it is another example of a technique to 

20 speed up RSA decryption. With N of length 1024, it speeds up decryption by a factor of 
2 or 3. However, there are many practical drawbacks to batch RSA techniques. 
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Rebalanced RSA 

In s tandard R S A, e ncryption i s m uch f aster t han d ecryption. In m any applications, i t 
would be desirable to change this behavior. Rebalanced RSA simply shifts more of the 
burden to the encryption process by increasing the size of the public exponent e (which is 
5 usually set to 65537), and tries to decrease the size of the private exponents as much as 
possible without creating security problems. Rebalanced RSA can be used in conjunction 
with many of the other methods here, such as Multi-Prime or Multi-Power RSA. 
Hardware 

There are also hardware approaches to speeding up RSA decryption. These methods 
10 consist of designing special processors or other hardware that is designed specifically for 
the type of modular arithmetic operations that RSA requires. Most hardware methods 
can be used in conjunction with the algorithmic methods described above. 

Despite the existence of several software and hardware implementations for 
improving the overall speed of the decryption process in public key cryptography, there is 
15 still a need for continued improvements to the existing body of work. Faster decryption 
algorithms provide direct value in many situations, since companies that formerly needed 
two or three servers to handle decryption may now only need one etc. Given the fact that 
nearly all secure Internet traffic (SSL) current utilizes public key encryption/decryption, 
the present invention will provide great utility to the market. 

20 
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Summary of the Invention 

The present invention discloses methods for improving the computational 
efficiency and overall capabilities of RSA and related public key cryptographic systems. 
In prior art, decryption of messages that are encrypted using a public key {e, N} is 
5 always achieved using all of the distinct prime factors of N. For example, the private 
exponent d is usually calculated such that e*d = 1 mod Z, where Z is the product of each 
of the prime factors of N minus 1. In addition, RSA implementations that employ the 
Chinese Remainder Theorem (CRT) also use each of the distinct prime factors of N as 
moduli in small modular exponentiations that are combined to perform decryption. The 

10 present invention discloses several methods where the prime factors used for decryption 
are a proper subset of the prime factors in the modulus N, or the prime factors of the 
modulus used for encryption are a proper superset of the prime factors used for 
decryption. The techniques proposed in the present invention not only provide for a 
substantial increase in the computational speed of RSA decryption, but also open the door 

1 5 for exciting new applications of public key cryptography. 

Accordingly, one aspect of the present invention is to provide a public key 
cryptosystem having a predetermined number of prime factors used for the generation of 
a modulus N and an exponent e, which may be generated in a variety of ways, wherein a 
proper subset of the prime factors of the modulus N, along with the exponent e, are 

20 required to decrypt messages encrypted using the public exponent e and the public 
modulus N , w here e a nd N a re c alculated u sing R S A m ethods, a nd e ncryption o ccurs 
using RSA methods. 
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Another aspect of the present invention is to provide a method for 
encrypting/decrypting messages including the steps of: providing a public key 
cryptosystem having a predetermined number of prime factors used for the generation of 
a modulus N and an exponent e; wherein less than all of the prime factors of the modulus 
5 N are required to decrypt messages, documents, files, and/or data capable of being 
encrypted using the public exponent e and the public modulus N, where e and N are 
calculated using RSA methods, and encryption occurs using RSA methods. 

Yet another aspect of the present invention is to provide a public key 
cryptosystem where a set of prime numbers S are sufficient for decryption of messages 
10 that are encrypted using a modulus N p , calculated as the product of a set of numbers that 
is a proper superset of S, and a public exponent e, where encryption occurs with standard 
RSA methods using the e and N p . 

Still another aspect of the present invention provides a method for 
encrypting/decrypting messages where a single prime number, p, and a public exponent e 
15 are used to decrypt messages encrypted using a modulus N p , calculated as the product of 
a set of numbers that is a proper superset of p, and the public exponent e, where 
encryption occurs with standard RSA methods using e and N p . 

Still another aspect of the present invention provides a method for encryption with 
a public key {e, N} where a plaintext message M is encrypted into a ciphertext message 
20 C using any method that produces a value equivalent to C = M e mod (N*X), where N is 
the public modulus and X is any integer greater than 1. 

Still another aspect of the present invention provides a method for decryption of a 
message that has been encrypted with the public key {e, N} where a ciphertext message 
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C is decrypted into a plaintext message M using any method that produces a value 
equivalent to M = C d mod Nd, where N<j is the product of less than all of the prime factors 
of the public modulus N and d satisfies the equation e*d = 1 mod Z, where Z is the 
product of each of the k prime factors of Nd minus 1, (pi - 1)*. . .(pk - 1). 
5 These and other aspects of the present invention will become apparent to those 

skilled in the art after a reading of the following description of the preferred embodiment 
when considered with the claims. 

DETAILED DESCRIPTION OF EMBODIMENTS OF THE PRESENT INVENTION 

For the present invention, the term messages is defined and used herein to include 
10 information, documents, files, and/or data that are preferably, but not necessarily, in 
electronic form. 

The present invention provides a system for encrypting and/or decrypting 
messages, preferably electronic messages, including a public key cryptosystem where 
decryption is performed using less than all of the prime factors of the modulus used for 

15 encryption, along with the public exponent e. 

One embodiment of the present invention provides a method for 
encrypting/decrypting messages including the steps of: providing a public key 
cryptosystem having a predetermined number of prime factors used for the generation of 
a modulus N and an exponent e; wherein less than all of the prime factors of the modulus 

20 N are required to decrypt messages capable of being encrypted using the public exponent 
e and the public modulus N, where e and N are calculated using RSA methods, and 
encryption occurs using RSA methods. 
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Another embodiment provides a method for encrypting/decrypting messages 
including the steps of: 

Encrypting a plaintext message M into a ciphertext message C using any method 
that produces a value equivalent to C = M e mod N, where 0 < M < Nd, such that the 
5 ciphertext C can be decrypted into the plaintext message M using only e and the prime 
factors of Nd 

N being the product of all of the numbers in the set S; 

S being a set of at least two prime numbers, pi . . .p k , where k is an integer greater 

than 1; 

10 e preferably being a small prime number, alternatively e being a number that is 

relatively prime to the product of each distinct prime factor of N minus 1, (Ni - 1)*. ..(Nj 

- 1) for distinct prime factors of N 1 to j, where j is the number of distinct prime factors 
inN; 

Sd being a proper subset of S; 
1 5 Nd being the product of all of the numbers in the set Sd. 

Preferably, a method for decrypting encrypted messages comprising the steps of: 

determining if a derived modulus Nd is a squarefree number, meaning that its 
prime decomposition contains no repeated factors, and if so, 

decrypting ciphertext C into message M using any method that produces a value 
20 equivalent to M = C d mod N d , where d is generated using the following steps: 

Calculating the number Zd as the product of each prime factor of Nd minus 1, (N<n 

- 1)*. . .(Ndj - 1) for prime factors of N d 1 to j, where j is the number of prime factors in 
N d ; 

10 
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generating the exponent d such that the following relationship is satisfied: e*d = 1 
mod Z d . 

In one embodiment, the plaintext message M is restored by directly calculating M = C d 
mod Na. 

In another embodiment, M is restored using the steps of: 

calculating separate decryption exponents d nd i . . .d n dj for all prime factors of Nd 1 
to j, where j is the number of prime factors in Nd so that the following relationship is 
satisfied for each member of Nd: e*d n di = 1 mod (N d i - 1); and 

performing decryptions of the form Mj = C dndi mod N d i for all prime factors of Nd from 1 
to j, where j is the number of prime factors in N d , and then using the values of each Mi 
and Ndi to reconstruct M. These steps for reconstructing M from each value of Mi and Ndi 
are preferably performed using the Chinese Remainder Theorem and/or Garner's 
algorithm, such as set forth in the references C. Vuillame Efficiency Comparison of 
Several RSA Variants , which are incorporated herein by reference in their entirety. 

Alternatively, a method for decrypting encrypted messages including the steps of: 
decrypting the ciphertext message C to the plaintext message M by determining if the 
derived modulus N d is squareful number, meaning that its prime decomposition contains 
at least one square, and if so; 

calculating separate decryption exponents d nd i . . .d n dj for all distinct prime factors of Nd 1 
to j, where j is the number of distinct prime factors in N d so that the following 
relationship is satisfied for each distinct member of N d : e*d n di = 1 mod (N d i - 1); 
for each distinct prime factor of N d , Ndi, calculating a value bdi as the number of times 
that Ndi occurs as a prime factor in Nd; 
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calculating Mj for each distinct prime factor of Nd, N di ; 

and using all values of Mj, N di) d nd i, and b di to restore the plaintext message M. The 
method of calculating Mi for each distinct prime factor of N d , N d i is preferably performed 
using Hensel Lifting, such as set forth in the references C. Vuillame Efficiency 
Comparison of Several RSA Variants , which are incorporated herein by reference in their 
entirety. The restoration of the plaintext message M from the values of M i5 N d i, d nd i, and 
b d i is preferably performed using techniques such as the Chinese Remainder Theorem 
and/or Garner's algorithm. 

Another embodiment of the present invention includes a method for 
encrypting/decrypting messages, including the steps of: 

Encrypting a plaintext message M into a ciphertext message C using any method 
that produces a value equivalent to C = M e mod N p , where 0 < M < N, such that the 
ciphertext C can be decrypted into the plaintext message M using e and the prime factors 
ofN 

N being the product of all of the numbers in the set S; 

S being a set of at least one prime number, pi . . .p k , where k is an integer greater 

than 0; 

S p being a proper superset of S; 

N p being the product of all of the numbers in the set S p ; 

e preferably being a small prime number, or alternatively, e being a number that is 
relatively prime to the product of each distinct prime factor of N p minus 1, (N p i - 
l)*...(N pj - 1) for distinct prime factors of N p 1 to j, where j is the number of distinct 
prime factors in N p ; 
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Preferably, a method for decrypting encrypted messages including the steps of: 
Decrypting the ciphertext message C into the plaintext message M by determining 
if the modulus N is a squarefree number; and if so then, 

decrypting ciphertext C into message M using any method that produces a value 
equivalent to M = C d mod N, where d is generated using the following steps: 

Calculating the number Z as the product of each prime factor of N minus 1, (Ni - 
1)*. . .(Nj - 1) for prime factors of N 1 to j, where j is the number of prime factors in N; 

then generating the decryption exponent d such that the following relationship is 
satisfied: e*d = 1 mod Z ; 

In one embodiment, M is directly calculated as M = C d mod N. 

In an alternative embodiment, M is calculated including the steps of: 

calculating separate decryption exponents di . . .dj for all prime factors of N 1 to j, 
where j is the number of prime factors in N so that the following relationship is satisfied 
for each member of N: e*di = 1 mod (Ni - 1); and 

performing decryptions of the form M\ = C di mod Ni for all prime factors of N 
from 1 to j, where j is the number of prime factors in N. Next, the values of each Mi and 
Ni are used to reconstruct M, preferably using the Chinese Remainder Theorem and/or 
Garner's algorithm. 

Alternatively, a method for decrypting encrypted messages comprises the steps 

of: 

Decrypting the ciphertext message C to the plaintext message M by determining if the 
derived modulus N is squareful number; if so then, calculating separate decryption 
exponents d n i . . .d nj for all distinct prime factors of N 1 to j, where j is the number of 
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distinct prime factors in N so that the following relationship is satisfied for each distinct 
member of N: e*d n j = 1 mod (Nj - 1); 

for each distinct prime factor of N, Nj, calculating a value bj as the number of 
times that Nj occurs as a prime factor in N; 

Preferably using Hensel Lifting to calculate Mi for each distinct prime factors of 

N,N i; 

and preferably using the Chinese Remainder Theorem and/or Garner's algorithm 
to use each value of Mi, H, bi and d n j to restore the plaintext message M; 

In still another embodiment of the present invention, encrypting/decrypting 
messages including the steps of: 

Encrypting a plaintext message M into a ciphertext message C using any method 
that produces a value equivalent to C = M e mod N p , where 0 < M < N, such that the 
ciphertext C can be decrypted into the plaintext message M using e and the prime factors 
ofN 

N being the product of all of the members of set S; 

S being a set of at least two numbers, pi . . .p k where k is an integer greater than 1 
and all members of S are equal to p s , which is a prime number; 
S p being a superset of S; 

N p being the product of all of the numbers in the set S p ; 

e preferably being a small prime number, or alternatively, e being a number that is 
relatively prime to the product of all of the distinct prime factors of N p minus 1, (N p i - 
1)*. ..( N p j - 1) for distinct prime factors of N p 1 to j, where j is the number of distinct 
prime factors in N p ; 
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Preferably , decryption of encrypted messages includes the steps of: 
Decrypting the ciphertext message C to the plaintext message M by: 

Calculating b as the number of times that the number p s occurs as a prime factor 

inN; 

5 Generating an exponent d such that the following equation is satisfied: 

e*d = 1 mod (p s - 1); 

Using Hensel Lifting to transform C into M with d, p s , and b as input values. 

In still another embodiment of the present invention, a method for crytographic 
communications is disclosed, including the steps of: 
10 Encrypting a plaintext message M into a ciphertext message C using any method that 

produces a value equivalent to C = M e mod N p , where 0 < M < p, such that the ciphertext 
C can be decrypted into the plaintext message M using e and p 

p being a prime number; 

S being a set containing only the number p; 
1 5 S p being a superset of S; 

N p being the product of all members of the set S p ; 

e preferably being a small prime number, or alternatively, e being a number that 
is relatively prime to the product of each distinct prime factor of N p minus 1, (N p i - 
1)*. . .( N P j - 1) for distinct prime factors of N p 1 to j, where j is the number of distinct 
20 prime factors in N p ; 

Preferably, decryption of encrypted messages comprises the steps of: 
Decrypting using any method that produces a value equivalent to as M = C d mod p, 
where d is generated using the following step: 

15 
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Calculating d such that the following equation is satisfied: 
e*d= 1 mod (p - 1); 

In another embodiment of the present invention, a method for establishing 
cryptographic communications is disclosed, including the steps of: 
5 calculating a composite number N, which is formed from the product of distinct prime 
numbers S, pi,. . .pk where k > 1. Encoding a plaintext message M, to a ciphertext 
message C, where M corresponds to a number representative of a message and 0 < M < 
S; generating an exponent e, which is preferably a small prime number but can 
alternatively be established as any number that is relatively prime to the product of each 
10 distinct prime factor of N minus 1, (Nj - 1),. . .(Nj - 1) for distinct prime factors of N 1 to 
j, where j is the number of distinct prime factors in N; transforming said plaintext, M, 
into said ciphertext, C, where C is developed using any method that produces a value 
equivalent to C = M e mod N, such that ciphertext C can be decrypted into plaintext M 
using only e and S. 

1 5 Decryption of messages encrypted in such a way is performed by: 

decoding the ciphertext message C to the plaintext message M, wherein said decoding 
includes the step of: transforming said ciphertext message C to plaintext M, using any 
method that produces a value equivalent to M = C d (mod S), where d is generated such 
that e*d= 1 mod (S - 1); 

20 Another embodiment of the present invention discloses a system for encrypting 

and decrypting electronic communications including a network of computers and/or 
computer-type devices, such as personal data assistants (PDAs), mobile phones and other 
devices, in particular mobile devices capable of communicating on the network; 

16 
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generating at least one private key and at least one public key, wherein the at least one 
private key is determined based upon any one of a multiplicity of prime numbers that 
when multiplied together produce N, which is the modulus for at least one of the public 
keys. 

Another embodiment of the present invention discloses a method for public key 
decryption where less than all of the distinct prime factors of a number N are used to 
decrypt a ciphertext message C into plaintext message M, where encryption occurs with 
the public key {e, N} using any method that produces a value equivalent to C = M e mod 
N. 

Another embodiment of the present invention discloses a method for public key 
encryption with a public key {e, N} where a plaintext message M is encrypted into a 
ciphertext message C using any method that produces a value equivalent to C = M e mod 
(N*X), where N is the public modulus and X is any integer greater than 1. 

Another embodiment of the present invention discloses a method for public key 
decryption of a message that has been encrypted with the public key {e, N} where a 
ciphertext message C is decrypted into a plaintext message M using any method that 
produces a value equivalent to M = C d mod N<j, where N<j is the product of less than all of 
the prime factors of the public modulus N and d satisfies the equation e*d = 1 mod Z, 
where Z is the product of each of the k prime factors of N d minus 1, (pi - 1)*. . ,(p k - 1). 

Yet another embodiment of the present invention discloses a method for public 
key decryption of a message that has been encrypted using any method that produces a 
value equivalent to C = M e mod N, where a ciphertext message C is decrypted into a 
plaintext message M using any method that produces a value equivalent to M = C d mod 
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Na, where Nd is the product of less than all of the prime factors of the public modulus N 
and d satisfies the equation e*d = 1 mod Z, where Z is the product of each of the k prime 
factors of Nd minus 1, (pi - l)*...(pk - 1). 

Generally, decryption methods according to the present invention are paired with 
5 particular encryption steps such that decryption is accomplished using the encryption 
exponent e and less than all of the prime factors of the encryption modulus, as set forth in 
the following design examples, which are provided for the purpose of illustrating 
methods of the present invention, without limiting it expressly thereto. 

Design Examples 
10 Example #1 

Generating prime numbers p and q as the members of set S, and calculating N = p*q. 
It is preferred that p is set to the minimum bit length, given existing security constraints 
and the expected message size, and that q is set to a bit length such that the bit length of 
N reaches its recommended size. 
15 Calculating e as a small prime number, such as 65537. 
Including p as the only member of the proper subset, Sd. 
Setting Nd = p. 

Calculating the private exponent d such that e*d = 1 mod (p - 1). 
Encrypting plaintext M into ciphertext C as C = M e mod N, where 0 < M < Nd. 
20 Decrypting ciphertext C into plaintext M as M = C d mod N d . 
Example #2 

Generating prime number p as the only member of set S, and setting N = p. 
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It is preferred that p is set to the minimum bit length given existing security constraints 

and the expected message size. 

Calculating e as a small prime number, such as 65537. 

Creating the set S p as a proper superset of set S containing members p and q, and 
5 calculating N p = pq. It is preferred that q is large enough so that the bit length of the N p 
reaches its recommended size. 

Calculating the private exponent d such that e*d = 1 mod (p - 1). 
Encrypting plaintext M into ciphertext C as C = M e mod N p , where 0 < M < N. 
Decrypting ciphertext C into plaintext M as M = C d mod N. 
10 Example #3 

Generating prime number p and choosing the members of set S as {p,p}, and setting N = 

P • 

It is preferred that p is set to the minimum bit length given existing security constraints 
and expected message size. 
15 Calculating e as a small prime number, such as 65537. 

Creating the set S p as a proper superset of set S containing members {p,p,q}> and 
calculating N p = p 2 q. It is preferred that q is large enough so that the bit length of the N p 
reaches its recommended size. 

Calculating the private exponent d such that e*d = 1 mod (p - 1). 
20 Encrypting plaintext M into ciphertext C as C = M e mod N p , where 0 < M < N. 
Decrypting ciphertext C into plaintext M by: 
Precomputing the value e_invj> = e" 1 mod p; 
Calculating C s = C mod p 2 ; 



19 



Atty# 1360-002 

Calculating Mi = C s d " 1 mod p; 
Calculating Ko = (Mi*C s ) mod p; 
Calculating A = (C - Ko e ) mod p 2 ; 
Calculating M2 = (Mi* A) mod p 2 ; 
5 Calculating M3 = (M2*e__inv_p) mod p 2 ; 

Decoding plaintext message M = (M3+ Ko) mod p 2 ; 
Example #4 

Generating distinct prime numbers p and q, and choosing the members of set S as {p,q}, 
and setting N = p*q. 
10 Calculating e as a small prime number, such as 65537. 

Creating the set S p as a proper superset of set S containing members {p,q,r}, and 
calculating N p = pqr, with q chosen so that that N is a squarefree number (all prime 
factors are distinct). 

Calculating the private exponent d such that e*d = 1 mod (p - l)(q - 1). 
15 Encrypting plaintext M into ciphertext C as C = M e mod N p , where 0 < M < N p . 

Decrypting ciphertext C into plaintext M by: 

Calculating M p = M mod p; 

Calculating M q = M mod p; 

Calculating p_inv_q = p" 1 mod q; 
20 Calculating V = (M q - M p ) mod q; 

Calculating Vi = V*p_inv_q mod q; 

Calculating Mi = V*p mod N; 

Calculating plaintext M = (Mi + M p ) mod N; 
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Example #5 

Being provided a public key {e, N}; 
Generating a number X as a large prime number; 

Encrypting a plaintext message M into a ciphertext message C as: C= M e mod (N*X); 
Provided that M < X and M < N, decryption can occur in either of two ways: 
M = C d modN, using the private key that corresponds to the public key {e, N} 
Or 

M = C dx mod X, where d x is calculated such that e* d x = 1 mod (X - 1) 

Certain modifications and improvements will occur to those skilled in the art upon 
a reading of the foregoing description. All modifications and improvements have been 
deleted herein for the sake of conciseness and readability but are properly within the 
scope of the following claims. 
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